xFlow v5.x multiple vuln.

Source: SECURITYVULNS:DOC:12274, via vulners.com, Apr 18, 2006

###############################################
Vuln. discovered by: r0t
Date: 18 April 2006
Vendor link: http://www.skymarx.com/affiliate_software.html
Affected versions: v5.46.11 and previous
Original advisory:
http://pridels.blogspot.com/2006/04/xflow-v5x-multiple-vuln.html
###############################################

Product info:

After over five years of development, the xFlow has become an industry
leader amongst membership management software, and will continue to
dominate. With version 6 in development (written in PHP) and our expanding
premier business services, the xFlow and Skymarx Solutions will soon be
rivaling the largest software providers in the world.
Designed with flexibility in mind, you can easily customize the xFlow to
your exact business needs. Packaged with tons of features, the xFlow
contains everything you need to successfully start your own membership based
business, or manage a large corporation: customizable member database, full
genealogy tracking, transaction system, reporting features, powerful
Member's Only Area, support for 28+ payment processors, plus much more.

###############################################

Vuln. Description:

  1. SQL inj. vuln.

xFlow contains a flaw that allows remote SQL injection attacks. Input passed
to the "position" and "id" parameters of "index.cgi" isn't properly sanitised
before being used in a SQL query. This can be exploited to manipulate SQL
queries by injecting arbitrary SQL code.

/members_only/index.cgi?id=4&username=r0t&seed=rjzzBzfrMplgqQMojRgrnALJMoiUeAdlxswNQvbo&action=view_downline&level=Direct&position=1[SQL]

/members_only/index.cgi?id=[SQL]&username=r0t&seed=TfgNxKhyqEELQQQKizBWyVShdbOpfugMaQhpuGqI

  2. XSS vuln.

xFlow contains a flaw that allows a remote cross site scripting attack. This
flaw exists because input passed to the "level", "position", "id", "action"
and "page" parameters of "index.cgi" isn't properly sanitised before being
returned to the user.
This could allow an attacker to create a specially crafted URL that would
execute arbitrary script code in a user's browser within the trust
relationship between the browser and the server, leading to a loss of
integrity.

examples:

/members_only/index.cgi?id=4&username=r0t&seed=rjzzBzfrMplgqQMojRgrnALJMoiUeAdlxswNQvbo&action=view_downline&level=[XSS]&position=10

/members_only/index.cgi?id=4&username=r0t&seed=rjzzBzfrMplgqQMojRgrnALJMoiUeAdlxswNQvbo&action=view_downline&level=Direct&position=1[XSS]

/members_only/index.cgi?id=[XSS]&username=r0t&seed=TfgNxKhyqEELQQQKizBWyVShdbOpfugMaQhpuGqI

/members_only/index.cgi?id=4&username=r0t&seed=rjzzBzfrMplgqQMojRgrnALJMoiUeAdlxswNQvbo&action=[XSS]&level=&position=10

/customer_area/index.cgi?id=1&username=r0t&seed=pWltDqcPcLuedZnXTwCNWldbpJmQANHFHfFvveFY&page=[XSS]

  3. Full Path Disclosure & info

examples:

/members_only/index.cgi?id=4&username=r0t&seed=rjzzBzfrMplgqQMojRgrnALJMoiUeAdlxswNQvbo&action=[CODE]&level=&position=10

/customer_area/index.cgi?id=1&username=r0t&seed=pWltDqcPcLuedZnXTwCNWldbpJmQANHFHfFvveFY&page=[CODE]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
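The solution above, worked through as an added example that is not part of the advisory or of xFlow's own code: a Python stand-in for the index.cgi downline lookup, showing the unsanitised query beside a hardened version (integer allow-list plus bound parameters) and HTML escaping of the reflected "level" and "page" parameters. The table, column names and the set of accepted level values are assumptions, not xFlow's real schema.

```python
import html
import re
import sqlite3

# Constructed in-memory stand-in for the table index.cgi reads for
# action=view_downline (table/column names are assumptions).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE downline (id INTEGER, position INTEGER, username TEXT)")
    db.executemany("INSERT INTO downline VALUES (?, ?, ?)",
                   [(4, 1, "alice"), (4, 2, "bob"), (7, 1, "carol")])
    return db

def vulnerable_lookup(db, member_id, position):
    # The flaw the advisory describes: request parameters are interpolated
    # straight into the SQL text, so the value of 'position' or 'id' can
    # change the meaning of the query instead of just its operands.
    sql = f"SELECT username FROM downline WHERE id={member_id} AND position={position}"
    return [row[0] for row in db.execute(sql)]

INT_RE = re.compile(r"^[0-9]{1,9}$")

def is_int_param(value):
    # Allow-list check for the numeric parameters: digits only, bounded length.
    return bool(INT_RE.match(value))

def safe_lookup(db, member_id, position):
    # Hardened form: validate the shape of both values, then bind them as
    # parameters so the database never parses user input as SQL.
    if not (is_int_param(member_id) and is_int_param(position)):
        raise ValueError("id and position must be small positive integers")
    sql = "SELECT username FROM downline WHERE id=? AND position=?"
    return [row[0] for row in db.execute(sql, (int(member_id), int(position)))]

# Assumed set of legitimate 'level' values; the real list is not on the page.
ALLOWED_LEVELS = {"Direct", "All"}

def render_level(level):
    # Reflected parameter with a known value set: fall back to a default for
    # anything outside the allow-list, and escape what is echoed back.
    if level not in ALLOWED_LEVELS:
        level = "Direct"
    return f"<b>Level: {html.escape(level, quote=True)}</b>"

def render_page_name(page):
    # Free-form reflected parameter: HTML-escaping makes any markup inert.
    return "<title>" + html.escape(page, quote=True) + "</title>"
```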
More information @ unsecured-systems.com/forum/